State cyberspies wriggle into satellites for super-duper sneaky ops

A group of state-sponsored hackers have taken to hiding their location and activities by exploiting satellite communications.

A Russian-speaking cyber-espionage group which exploits the Turla malware is using satellites to achieve greater anonymity, according to new research from Kaspersky Lab. The group is exploiting security weaknesses in global satellite networks as part of its tradecraft.

Turla is a sophisticated cyber-espionage group that has been active for more than eight years, infecting hundreds of computers in more than 45 countries including Kazakhstan, Russia, China, Vietnam and the United States. Government institutions and embassies, as well as military, education, research and pharmaceutical companies have all been targeted by the Turla APT crew at one time or another.

Initially the group uses the Epic backdoor to profile victims. In rare cases – for the most high profile targets – the hackers use satellite-based communication in the later stages of attacks, in an apparent effort to hide their tracks.

Satellite communications are mostly used in remote locations where all other types of internet access are either unstable and slow, or not available at all. One of the most widespread and inexpensive types of satellite-based internet connection is via a so-called downstream-only connection. In these set-ups, outgoing requests from a user’s PC are communicated through conventional lines (a wired or GPRS connection), with all the incoming traffic coming from the satellite.

This technology allows the user to get a relatively fast download speed. The one big disadvantage, especially from a security perspective, is that all the downstream traffic comes back to the PC unencrypted. Any rogue user with the right set of inexpensive equipment and software could simply intercept the traffic and get access to all the data that users of these links are downloading.

The Turla group takes advantage of inherent security shortcomings in this form of satellite comms to hide the location of its command and control servers (C&C), the command hub of malware-based cyber-operations. Discovering the location of C&C servers can lead investigators to uncover details about the actor behind an operation, something the Turla group has taken great pains to avoid, as Kaspersky Lab explains.

The group first “listens” to the downstream from the satellite to identify active IP addresses of satellite-based internet users.

They then choose an online IP address to be used to mask a C&C server, without (of course) clueing in the legitimate user – who is left completely in the dark.

Turla-infected machines are then instructed to exfiltrate (extract) data towards the chosen IPs of regular satellite-based internet users. The data travels through conventional lines to the satellite internet provider’s teleports, then up to the satellite, and finally down from the satellite to the users with the chosen IPs.

The legitimate user, whose IP address has been used by the attackers to receive data from compromised machines, will also receive these packets of data but will be unlikely to spot them. This is because the Turla attackers instruct infected machines to send data to ports that, in the majority of cases, are closed by default. So the PC of a legitimate user will simply drop these packets, while the Turla C&C server – which keeps those ports open – will receive and process the exfiltrated data.
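From the defender's side, the exfiltration step described above shows up as internal hosts pushing data towards addresses in satellite-provider space. The following is an added example, not code from Kaspersky Lab or the article: it aggregates flow records and flags upload-heavy conversations with such addresses. The prefixes, the flow record layout, the thresholds and the function names are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Placeholder prefixes (RFC 5737 documentation ranges) standing in for
# satellite-ISP address space; a real list would come from your own intel feed.
SATELLITE_PREFIXES = [ipaddress.ip_network(p)
                      for p in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed sample flow records: src,dst,dst_port,bytes_out,bytes_in
SAMPLE_FLOWS = """\
10.0.0.5,198.51.100.77,8089,48000,900
10.0.0.5,198.51.100.77,8089,52000,1100
10.0.0.9,203.0.113.10,443,1200,64000
10.0.0.7,192.0.2.20,443,90000,2000
10.0.0.5,198.51.100.77,8089,61000,1000
10.0.0.8,203.0.113.44,53,300,280
"""

def in_satellite_space(ip):
    """True if the address falls inside one of the watchlisted prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SATELLITE_PREFIXES)

def find_upload_heavy(flow_text, min_bytes_out=100_000, min_ratio=5.0):
    """Return (src, dst, port, bytes_out, bytes_in) tuples for conversations
    that send a lot of data into satellite space and receive little back."""
    totals = defaultdict(lambda: [0, 0])
    for line in flow_text.strip().splitlines():
        src, dst, port, out_b, in_b = line.split(",")
        if not in_satellite_space(dst):
            continue  # destination is outside the watchlist
        key = (src, dst, int(port))
        totals[key][0] += int(out_b)
        totals[key][1] += int(in_b)
    hits = []
    for (src, dst, port), (out_b, in_b) in totals.items():
        # Heuristic (assumption): large total upload and a lopsided ratio.
        if out_b >= min_bytes_out and out_b >= min_ratio * max(in_b, 1):
            hits.append((src, dst, port, out_b, in_b))
    return sorted(hits, key=lambda h: h[3], reverse=True)

if __name__ == "__main__":
    for hit in find_upload_heavy(SAMPLE_FLOWS):
        print("review: %s -> %s:%d out=%d in=%d" % hit)
```

A hit is a lead for triage rather than a verdict, since these address ranges also serve legitimate satellite subscribers.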

The Turla attackers most often deploy the sat comms exfiltration tactic using providers located in Middle Eastern and African countries. The Turla group used the IP addresses of providers located in countries such as Congo, Lebanon, Libya, Niger, Nigeria, Somalia or the UAE.

“In the past, we’ve seen at least three different actors using satellite-based Internet links to mask their operations,” said Stefan Tanase, senior security researcher at Kaspersky Lab. “Of these, the solution developed by the Turla group is the most interesting and unusual.

“They are able to reach the ultimate level of anonymity by exploiting a widely used technology – one-way satellite internet. The attackers can be anywhere within range of their chosen satellite, an area that can exceed thousands of square kilometers,” he added. ®